User Management using CHEF and AWS OpsWorks

Source: reposted

CHEF is the most popular configuration management tool in the market these days, as CHEF turns infrastructure into code and you can do almost anything using it. Recipes are the heart of CHEF. OpsWorks has been gaining a lot of momentum for the last few months, the major factor being its support for CHEF. So, in this blog we will be discussing how we can manage users on multiple machines and their permissions as well. You will see how easy it is to do so and manage all the configurations as well. The recipes I have used can be shared and can be used independently of OpsWorks with minimal changes.

USE-CASE

I had multiple users on my machines. Whenever a new user joined the firm, I had to manually go and add the user to each machine to give them access. Also, adding the user to a group was necessary so that permissions could be managed at the level of groups. So, I had to think of a way to manage all this through one click using CHEF and OpsWorks. We will be using CHEF recipes, passing values to them using OpsWorks data bags, and deploying the configs using one-click deployment in OpsWorks. OpsWorks creates a local copy of your GitHub repo and then executes the recipes when we specify which one to execute. Since we are using data bags in our recipes, we will give input values to them as JSON through OpsWorks.

The above script will create users based on the JSON values we pass in OpsWorks. It will create a .ssh folder inside the home directory of the user as well and append the ssh-keys inside the authorized_keys file.

Recipe 2: This will be used to create groups. We will need to pass values to it using OpsWorks:

    # Load every item of the "group" data bag (supplied as JSON through OpsWorks)
    groups = data_bag("group")
    groups.each do |group|
      group_data = data_bag_item('group', group)
      # Create the group if it is missing and set its gid and members
      group group_data['id'] do
        gid group_data["gid"]
        members group_data["members"]
      end
    end

Recipe 3: Next we would need a script which will help us modify our sudoers file inside sudoers.d:

Now, just push the recipe to a git repository inside the cookbook user (or any other name of your choice). The structure should be like this: repo->master-branch->cookbook->recipes->recipe1.rb, recipe2.rb, recipe3.rb

EXECUTING RECIPES

1. Creating a user on servers according to Recipe 1 and giving input to the recipe using OpsWorks.

Go to the AWS OpsWorks console. I am assuming that you have already created a stack and added instances to the stack. Remember that it does not support all OS versions, so you might want to check the compatibility. From the Dashboard select the stack:

Next, add the GitHub repo to your stack settings so that you can use the recipe we created:

Click on Edit inside Stack Settings:

Now, just enter the GitHub repo details:

Now, go to Deployments:

You will be taken to the following page:

Just go ahead and click on Run Command and it should take you to the below page:

Select Execute Recipes from the drop-down and enter the cookbook name and recipe name as shown in the image. We are using a cookbook named “final” and a recipe named “createuserwithsudo”. When entering them in the Recipes to execute box, use “::” (two colons) to separate them.

You need to replace user1, 2 and 3 with the user names you want on the server. Also, replace the ssh-keys with the ones associated with each user. The password for the user needs to be generated via OpenSSL; the CHEF recipe won’t take the password in normal text format. Also, sudo == true means the user will have root privileges. Next, click on Execute Recipes after choosing the instances of the stack on which you want the recipe to be executed:

So, you are done! After the recipe is executed, it will show you the results then and there. Also, if you wish to see the logs of a previously executed recipe, click on the date & time and it should take you to the particular command’s page where you can see the logs as well:

If you make any changes to your recipes in GitHub, after pushing the changes you need to go to “Run Command” and select Update Cookbooks:

The user will be created on the specified servers.
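A pre-flight check for the custom JSON described in step 1, as an added example that is not part of the original post: it flags plaintext or MD5-crypt passwords, malformed or multi-line SSH keys, non-boolean sudo flags and group members with no matching user. The keys `users`, `id`, `password`, `ssh_keys` and `sudo` are assumptions (the post's JSON is not shown); the `groups` fields follow Recipe 2, and members are assumed to be users defined in the same JSON.

```ruby
require 'json'

# Added example, not the post's code. Key names "users", "id", "password",
# "ssh_keys" and "sudo" are assumptions; groups use Recipe 2's id/gid/members.
CRYPT_SHA = %r{\A\$[56]\$(rounds=\d+\$)?[./0-9A-Za-z]{1,16}\$[./0-9A-Za-z]{43,86}\z}
CRYPT_MD5 = %r{\A\$1\$[./0-9A-Za-z]{1,8}\$[./0-9A-Za-z]{22}\z}
# Exactly one key per string: \A and \z reject an embedded newline that would
# append a second line to authorized_keys.
SSH_KEY = %r{\A(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+={0,2}( [^\r\n]*)?\z}
LOGIN = /\A[a-z_][a-z0-9_-]{0,31}\z/

# Returns a list of human-readable problems; an empty list means the JSON passed.
def audit_custom_json(text)
  data = JSON.parse(text)
  users = data.fetch('users', [])
  issues = []
  users.each do |u|
    name = u['id'].to_s
    issues << "#{name.inspect}: invalid login name" unless name.match?(LOGIN)
    pw = u['password'].to_s
    if pw.match?(CRYPT_MD5)
      issues << "#{name}: MD5-crypt hash, regenerate as SHA-512 crypt"
    elsif !pw.match?(CRYPT_SHA)
      issues << "#{name}: password is not a crypt(3) hash (plaintext?)"
    end
    keys = Array(u['ssh_keys'])
    issues << "#{name}: no SSH public key" if keys.empty?
    keys.each_with_index do |key, i|
      issues << "#{name}: ssh_keys[#{i}] is not a single public key line" unless key.to_s.match?(SSH_KEY)
    end
    # A string such as "false" is truthy in Ruby, so insist on a real boolean.
    issues << "#{name}: sudo must be true or false, got #{u['sudo'].inspect}" unless [true, false].include?(u['sudo'])
  end
  known = users.map { |u| u['id'] }
  data.fetch('groups', []).each do |g|
    (Array(g['members']) - known).each { |m| issues << "group #{g['id']}: member #{m} is not a defined user" }
  end
  issues
end

# Constructed sample input (illustrative values only).
SAMPLE = JSON.generate(
  'users' => [
    { 'id' => 'user1', 'password' => '$6$saltsalt$' + 'A' * 86,
      'ssh_keys' => ['ssh-ed25519 AAAAC3NzaC1lZDI1NTE5 user1@example'], 'sudo' => true },
    { 'id' => 'user2', 'password' => 'Summer2024!',
      'ssh_keys' => ["ssh-rsa AAAAB3Nza\nssh-rsa AAAAB3Nzb"], 'sudo' => 'false' }
  ],
  'groups' => [{ 'id' => 'devops', 'gid' => 3000, 'members' => %w[user1 user3] }]
)
puts audit_custom_json(SAMPLE) if $PROGRAM_NAME == __FILE__
```

Run it against the JSON before pasting it into the OpsWorks console; any line it prints is a reason to fix the input first.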

2. Now, if you wish to add the newly created user to a group

Simply execute Recipe 2. It will create the group if it does not exist already and then add the users to the group. Execute the recipe as we did before. Enter the cookbook name and recipe name:

Use Recipe 3 for this. Just go ahead and run the recipe. I have written some basic commands which can be allowed for a group. You can use this however you like. Remember to update cookbooks in the OpsWorks console so that the changes in the GitHub repo are reflected here. Simply execute the recipe as we have done earlier, choose the server, and it will append to the file inside sudoers.d.

For example: /etc/sudoers.d/serveralpha

You need to make changes to the recipe according to your use case and names of files. In case you make changes to the recipe, make sure you run the Update Cookbooks command as I have shown in step 1.

This is the basic way of handling users on your servers using CHEF. In my next blog, I shall talk about more use-cases of CHEF. Follow me on Twitter @ranvijayj